diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..1f90952
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+routes.txt
\ No newline at end of file
diff --git a/README.md b/README.md
index 5f88647..1069795 100644
--- a/README.md
+++ b/README.md
@@ -4,13 +4,14 @@ This script uses Openconnect to automatically connect to Cisco Anyconnect VPN se
 Server address, username, password and 2fa seed is stored in macOS keychain. Feel free to remove them and ask for user input instead.
-Additionaly routing for only specific subnets can be set up in `routing.sh`
+Additionaly routing for only specific subnets can be added in `routes.txt`
 ## Setup
 ```
 git clone this repo
 brew install openconnect
+brew install vpn-slice
 ```
 Add server address, username, password and 2fa seed in keychain with these names:
@@ -21,6 +22,8 @@ Add server address, username, password and 2fa seed in keychain with these names
 _For ease of use you can allow automatic keychain access to some of the attributs, but_ **do not allow automatic access to password and especially the 2fa seed**. _It will keep it in memory as long as the script is running._
+Rename routes.txt.sample to routes.txt or create an empty routes.txt and add subnets to be routed through VPN there.
+
 ## Usage
 ```
diff --git a/routes.txt.sample b/routes.txt.sample
new file mode 100644
index 0000000..38f211b
--- /dev/null
+++ b/routes.txt.sample
@@ -0,0 +1,3 @@
+# Rename this file to routes.txt and add subnets to be routed through VPN here.
+# Add one subnet per line
+# Example: 192.168.15.0/24
diff --git a/routing.sh b/routing.sh
old mode 100644
new mode 100755
index cc1f786..c846d37
--- a/routing.sh
+++ b/routing.sh
@@ -1 +1,61 @@
-#!/bin/bash
\ No newline at end of file
+#!/bin/bash
+
+ROUTE_FILE=routes.txt
+
+VPN_SLICE=vpn-slice
+
+if ! command -v $VPN_SLICE &> /dev/null
+then
+ echo "$VPN_SLICE is not in path"
+
+ if test -f "/usr/local/Cellar/vpn-slice/0.15/bin/vpn-slice"; then
+ echo "Found vpn-slice elsewhere"
+ VPN_SLICE="/usr/local/Cellar/vpn-slice/0.15/bin/vpn-slice"
+ else
+ echo "Please make sure vpn-slice is in path"
+ exit
+ fi
+fi
+
+if [ "$reason" != "connect" ]; then
+ $VPN_SLICE
+ exit
+fi
+
+echo "Setting up routing"
+
+# Add subnet to list
+add_subnet ()
+{
+ IP=${1%/*}
+ S=${1#*/}
+ M=$(( 0xffffffff ^ ((1 << (32-S)) -1) ))
+ MASK="$(( (M>>24) & 0xff )).$(( (M>>16) & 0xff )).$(( (M>>8) & 0xff )).$(( M & 0xff ))"
+ export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_ADDR=$IP
+ export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASK=$MASK
+ export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASKLEN=$S
+ export CISCO_SPLIT_INC=$(($CISCO_SPLIT_INC + 1))
+
+ echo "Adding subnet $IP with mask $MASK to list"
+}
+
+# Initialize empty split tunnel list
+export CISCO_SPLIT_INC=0
+
+# Delete DNS info provided by VPN server to use internet DNS
+# Comment following line to use DNS beyond VPN tunnel
+unset INTERNAL_IP4_DNS
+
+if test -f "$ROUTE_FILE"; then
+ echo "Loading subnets from $ROUTE_FILE"
+ while read p; do
+ case "$p" in \#*) continue ;; esac
+ add_subnet $p
+ done <$ROUTE_FILE
+
+else
+ echo "$ROUTE_FILE does not exist. This should not happen."
+fi
+
+# Load default script
+$VPN_SLICE -S
diff --git a/run-vpn.sh b/run-vpn.sh
index 81676f6..4375914 100755
--- a/run-vpn.sh
+++ b/run-vpn.sh
@@ -6,6 +6,10 @@ SEED=$(security find-generic-password -l "Openconnect TOTP Seed" -w)
 PASSWORD=$(security find-generic-password -l "Openconnect Account Password" -w)
+SCRIPT=`realpath $0`
+SCRIPTPATH=`dirname $SCRIPT`
+ROUTE_FILE=routes.txt
+
 # trap ctrl-c and call ctrl_c()
 trap ctrl_c INT
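Review bot: The `while read p` loop at the end of the hunk passes every non-comment line of routes.txt to `add_subnet` without validation, and `add_subnet` puts the text after `/` straight into `$(( 32-S ))`; run-vpn.sh launches openconnect under sudo, so this script runs as root, and a line that is not of the form `a.b.c.d/n` gives at best a wrong route (on 64-bit bash an empty line exports an empty address with mask 0.0.0.0) and at worst an arithmetic-expansion injection from a user-writable file. The loop also lacks `read -r`, does not skip blank lines, and expands `$p` unquoted; the rewrite below checks each line against a CIDR pattern before calling `add_subnet` and reports rejected lines on stderr. Separately, the `exit` in the "Please make sure vpn-slice is in path" branch returns status 0, so openconnect cannot tell that the script failed; `exit 1` there would surface it. The hunk holds the whole new file, so nothing is cut off.
```shell
  echo "Loading subnets from $ROUTE_FILE"
  cidr_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}/([0-9]|[12][0-9]|3[0-2])$'
  while IFS= read -r p || [[ -n "$p" ]]; do
    case "$p" in ''|\#*) continue ;; esac
    if [[ "$p" =~ $cidr_re ]]; then
      add_subnet "$p"
    else
      echo "Ignoring malformed line in $ROUTE_FILE: $p" >&2
    fi
  done <"$ROUTE_FILE"
```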
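Review bot: `ROUTE_FILE=routes.txt` is resolved against the current working directory, while the `SCRIPT`/`SCRIPTPATH` lines added just above it exist so that routing.sh is found regardless of where run-vpn.sh is launched; started from any other directory, the later `test -f "$ROUTE_FILE"` fails and the routing script is silently not passed to openconnect. Anchoring it the same way, and dropping the backticks and unquoted `$0` at the same time, gives `SCRIPT=$(realpath "$0")`, `SCRIPTPATH=$(dirname "$SCRIPT")`, `ROUTE_FILE="$SCRIPTPATH/routes.txt"`. routing.sh's own `ROUTE_FILE=routes.txt` in the previous hunk has the same dependence on whatever working directory openconnect inherited and should resolve the file relative to its own location as well. `realpath` may be missing on older macOS releases; if the versions you target lack it, `cd "$(dirname "$0")" && pwd` is the usual fallback.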
@@ -15,13 +19,20 @@ function ctrl_c() {
 exit
 }
+SCRIPT_INCLUDE=""
+
 while true; do
 echo "Connecting to VPN"
+ if test -f "$ROUTE_FILE"; then
+ SCRIPT_INCLUDE="--script=\"$SCRIPTPATH/routing.sh\""
+ fi
+
 echo $PASSWORD | sudo openconnect \
 --csd-wrapper hostscan-bypass.sh \
 --passwd-on-stdin \
 --os=mac-intel \
+ $SCRIPT_INCLUDE \
 --token-mode=totp \
 --token-secret=sha1:base32:$SEED \
 -u $USERNAME \